Computer Security in the Federal Market

Jim  Kerrigan 
Director  of  Research 
INPUT,  Inc. 


INPUT 


Federal  Computer  Security  Climate 

• Why  write  a report? 

• Market  pressures  and  forces 

• Market  structure  and  forecast 

• Agency  threats  and  requirements 

• Agency  versus  vendor  views 

Why Write a Report?

• Market  uncertainty 

• Market  volatility 

• Over-promised  market 

• Ada  experience 

Positive Market Pressures

• Legislative  mandate 

• Greater  end-user  computing 

• More  information  sharing 

• Open  network  architecture 

Positive Market Pressures

• Greater  agency  awareness 

• Publicized  network  penetration 

• Dedicated  staffs 

• Oversight  activities 

Oversight Activities

• Congress 

• NIST 

• GSA 

• GAO 

• OMB

• CSSAB 

• NSA 

• PCIE 

Negative Market Pressures

• Budget  constraints 

• Competing  priorities 

• Limited  actual  harm 

• No  follow-up  legislation 


© 1990 by INPUT. Reproduction Prohibited.


Negative  Market  Pressures 

• Poor  planning  effort 

- Integrity  and  availability  overlooked 

- User  organizations  ignored 

- Inconsistent  quality 

- Networking  not  addressed 

- Contractors  not  involved 

Market Structure — What's In

• Computer  security  equipment 

- Includes  Tempest  equipment 

• Software  products 

- UNIX  features 

- Network  security 




Market  Structure — What's  In 

• Professional  services 

- Consulting 

- Education  and  training 

- Software  development 

- Systems  operations? 

Market Structure — What's Out

• Electronic  locking  systems 

• Fire  protection  systems 

• Encryption  devices 

• Retina  detection  systems 

Overall Market Forecast

[Chart legend: Equipment; Software Products; Professional Services]

Network Security

• Estimate ranges

- $341 million - $2.1 billion

• Our  estimate 

- $396  million 

- Flat  market 

- New  opportunities  in  civilian  market 

Sensitive Systems

[Chart labels: Other DOD (3,000); Civilian Agencies (1,443)]

53,443 sensitive systems

Reasons for System Vulnerability

• Mainframe  and  midsize 

- Networking  capability 

- Multiuser  availability 

Reasons for System Vulnerability

• Microcomputers 

- Lack  of  controls 

- Diverse,  decentralized  use 

- Least  experienced  users 

- Minimal  security  guidelines 

Perceived Threats

                                  Respondents
                                  (Percent)
Data access                       74
Data manipulation                 42
Software, system manipulation     42
Site access and damage            21

Planned Security Measures

                                  Respondents
                                  (Percent)
Software security features        37
Security training/awareness       32
Other security measures           27
Develop contingency plan          18
Conduct risk analysis             14

Functional Requirements

                                  Respondents
                                  (Percent)
Network security                  100
End-user access                   95
Data security                     91
Physical security                 86

Planned Acquisitions

                                      Respondents
                                      (Percent)
Software-driven password security     82
Security training tools               77
Secure networking products            68
Risk management analysis              59
Communications security products      55

Planned Acquisitions

                                      Respondents
                                      (Percent)
Data encryption equipment             55
Other contractor support              50
Other security devices                50
Plan preparation                      45

Planned Acquisitions

                                      Respondents
                                      (Percent)
Secure UNIX-based products            41
Secure workstations                   38
Tempest products                      27
Emission control devices              14

Acquisition Methods — Computer Security Products

                                      Respondents
                                      (Percent)
GSA schedules                         85
RFP for specific purchase             60
RFP for requirements contract         55
Part of other procurements            40
Other methods                         20

Preferred Vendors

                          Agency Rank    Vendor Rank
Software                  1              3
Hardware                  2              2
Professional services     3              4
Systems integrators       4              1

Reasons for Vendor Revenue Increase

                                      Respondents
                                      (Percent)
Increased security requirements       29
New products available                25
Expanding market                      25
Increased demand                      18

Leading Agency Opportunities

              Rank
Treasury      1
Air Force     2
NSA           3
Navy          4
Army          5

Agency Views
Leading Vendors

• Comsis

• Honeywell

• IBM

Vendor Views
Leading Vendors

• Digital Equipment Corporation

• AT&T

• IBM

• Honeywell

Agency Suggestions

• Increase  user  education 

• Integrate  security  into  software 

• Increase  government  orientation 

• Improve  availability 

• Improve  ease  of  implementation 


Vendor  Suggestions 

• Improve  ease  of  use 

• Offer  interoperable  system 

• Improve  software  features 

• Lower  the  price 

• Standardize  security 

Other Comparisons

• Technological trends

• Industry  trends 

• Budget  constraints 

• DoD  versus  civilian  markets 

Oversight Activities

• Congress

• GSA

• OMB

• NSA

• NIST

• GAO

• CSSAB